W32/Rbot-YJ is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-YJ connects to an IRC channel and listens for commands from a remote attacker. The worm may also spread to remote network shares, or by DCC.
W32/Rbot-YJ contains functionality to do any of the following:
- participate in denial of service attacks
- provide a remote command shell
- run a file server
- steal Windows passwords
When first run W32/Rbot-YJ copies itself to the Windows system folder as WREGISTRY.EXE and creates the following registry entries in order to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Registry Service
wregistry.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows Registry Service
wregistry.exe
The worm may make the following additional registry change:
HKCU\Software\Microsoft\OLE
Microsoft Windows Registry Service
wregistry.exe